[OpenID] Phishing resistant policy of PAPE
Eric Norman
ejnorman at doit.wisc.edu
Wed Oct 29 01:49:44 UTC 2008
On Oct 28, 2008, at 8:06 PM, Breno de Medeiros wrote:
> Ok, so the scenario is:
>
> 1. Site example.com is a respectable RP that accepts only PAPE-enabled
> OPs, such as unphishable-OP.com
> 2. Site evil.com is an impostor to site example.com, and wants to get
> the user's credit card by impersonating example.com.
> 3. Site evil.com implements a fake replica of example.com (say
> examp1e.com) and uses PAPE to authenticate users via the legitimate
> OP.
> 4. User logs into site examp1e.com using the real unphishable-OP.com
> (since OP is using un-phishable authentication) and now is fairly
> confident that it is talking instead to example.com and enters the
> credit card.
That's mostly the idea, except maybe #4. The user supplies their
credit card number to evil.com. Is that what you were trying to say?
> The problem with that scenario is that we are already assuming that
> the user is ignoring all types of signals at examp1e.com related to,
True enough. And the so-called phishing resistance of OpenID doesn't
change this. I.e., it doesn't add any different signals that can't be
faked by evil.com. That's the point; that's why I say the phrase
is misleading.
Eric Norman